Hello,

> thoughts?
>
> - jrun

When in doubt, do both.

I am running my home router as a couple of netns domains on one of the less-overworked servers in the basement, facilitated by a couple of "dumb" scripts that set it all up.

My setup: create a netns instance, move the machine's main interface into it, set up VLANs and bridges in there, and then add a veth interface to one of the bridges whose other end is moved back to the root namespace.

Bonus points, the router instance doesn't have any services (thus only needs FORWARD firewall rules) and can run on basically any local system with enough bandwidth. Just add VLANs to its interface on the switch.

Within that router netns I have separate VRFs for "sensitive" and "guest" traffic, mainly to simplify firewall rules and routing tables.

-- 
-- Matthias Urlichs
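
The setup described in the message above, sketched as an added shell example that is not part of the original post or the author's own scripts. The namespace name, uplink name, VLAN IDs, VRF table numbers and the default-drop FORWARD policy are assumptions; by default the script only prints the commands it would run.

```shell
#!/usr/bin/env bash
# Added example; every name and number below is an assumption, not from the post.
NS=router                 # router network namespace (assumed name)
DRY_RUN=${DRY_RUN:-1}     # 1 = only print commands; 0 = execute them (needs root)

run() {  # print the command, then execute it unless in dry-run mode
    echo "$*"
    [ "$DRY_RUN" = 1 ] || "$@"
}

# add_segment UPLINK NAME VLAN_ID TABLE: VLAN subinterface -> bridge -> VRF
add_segment() {
    local up="$1" name="$2" vid="$3" table="$4" dev
    run ip -n "$NS" link add link "$up" name "$up.$vid" type vlan id "$vid"
    run ip -n "$NS" link add "br-$name" type bridge
    run ip -n "$NS" link add "vrf-$name" type vrf table "$table"
    run ip -n "$NS" link set "$up.$vid" master "br-$name"
    run ip -n "$NS" link set "br-$name" master "vrf-$name"
    for dev in "$up.$vid" "br-$name" "vrf-$name"; do
        run ip -n "$NS" link set "$dev" up
    done
}

router_netns_setup() {
    local up="$1"
    run ip netns add "$NS"
    # The host loses its direct uplink here: run from a console, not over SSH.
    run ip link set dev "$up" netns "$NS"
    run ip -n "$NS" link set "$up" up
    add_segment "$up" sensitive 10 10
    add_segment "$up" guest 20 20
    # veth pair: one end joins a bridge in the router netns, the other stays
    # in the root namespace so the host itself is just another client.
    run ip link add veth-host type veth peer name veth-rtr
    run ip link set veth-rtr netns "$NS"
    run ip -n "$NS" link set veth-rtr master br-sensitive
    run ip -n "$NS" link set veth-rtr up
    run ip link set veth-host up
    # No services in the router netns: enable forwarding, default-drop FORWARD,
    # then add explicit allow rules per VRF as the local policy requires.
    run ip netns exec "$NS" sysctl -w net.ipv4.ip_forward=1
    run ip netns exec "$NS" iptables -P FORWARD DROP
}
```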